aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

5092 voiceadequovl.exe
4968 voiceadequovl.exe
2528 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5092	voiceadequovl.exe
4968	voiceadequovl.exe
2528	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 4968 set thread context of 2528 4968 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2720 powershell.exe
2720 powershell.exe
2400 powershell.exe
2400 powershell.exe

description	pid	process	target process
PID 4968 set thread context of 2528	4968	voiceadequovl.exe	voiceadequovl.exe

pid	process
2720	powershell.exe
2720	powershell.exe
2400	powershell.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4968	voiceadequovl.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	wmic.exe
Token: SeSecurityPrivilege	4668	wmic.exe
Token: SeTakeOwnershipPrivilege	4668	wmic.exe
Token: SeLoadDriverPrivilege	4668	wmic.exe
Token: SeSystemProfilePrivilege	4668	wmic.exe
Token: SeSystemtimePrivilege	4668	wmic.exe
Token: SeProfSingleProcessPrivilege	4668	wmic.exe
Token: SeIncBasePriorityPrivilege	4668	wmic.exe
Token: SeCreatePagefilePrivilege	4668	wmic.exe
Token: SeBackupPrivilege	4668	wmic.exe
Token: SeRestorePrivilege	4668	wmic.exe
Token: SeShutdownPrivilege	4668	wmic.exe
Token: SeDebugPrivilege	4668	wmic.exe
Token: SeSystemEnvironmentPrivilege	4668	wmic.exe
Token: SeRemoteShutdownPrivilege	4668	wmic.exe
Token: SeUndockPrivilege	4668	wmic.exe
Token: SeManageVolumePrivilege	4668	wmic.exe
Token: 33	4668	wmic.exe
Token: 34	4668	wmic.exe
Token: 35	4668	wmic.exe
Token: 36	4668	wmic.exe
Token: SeIncreaseQuotaPrivilege	4668	wmic.exe
Token: SeSecurityPrivilege	4668	wmic.exe
Token: SeTakeOwnershipPrivilege	4668	wmic.exe
Token: SeLoadDriverPrivilege	4668	wmic.exe
Token: SeSystemProfilePrivilege	4668	wmic.exe
Token: SeSystemtimePrivilege	4668	wmic.exe
Token: SeProfSingleProcessPrivilege	4668	wmic.exe
Token: SeIncBasePriorityPrivilege	4668	wmic.exe
Token: SeCreatePagefilePrivilege	4668	wmic.exe
Token: SeBackupPrivilege	4668	wmic.exe
Token: SeRestorePrivilege	4668	wmic.exe
Token: SeShutdownPrivilege	4668	wmic.exe
Token: SeDebugPrivilege	4668	wmic.exe
Token: SeSystemEnvironmentPrivilege	4668	wmic.exe
Token: SeRemoteShutdownPrivilege	4668	wmic.exe
Token: SeUndockPrivilege	4668	wmic.exe
Token: SeManageVolumePrivilege	4668	wmic.exe
Token: 33	4668	wmic.exe
Token: 34	4668	wmic.exe
Token: 35	4668	wmic.exe
Token: 36	4668	wmic.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 4584 wrote to memory of 5092	4584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4584 wrote to memory of 5092	4584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4584 wrote to memory of 5092	4584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 5092 wrote to memory of 4968	5092	voiceadequovl.exe	voiceadequovl.exe
PID 5092 wrote to memory of 4968	5092	voiceadequovl.exe	voiceadequovl.exe
PID 5092 wrote to memory of 4968	5092	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2720	4968	voiceadequovl.exe	powershell.exe
PID 4968 wrote to memory of 2720	4968	voiceadequovl.exe	powershell.exe
PID 4968 wrote to memory of 2720	4968	voiceadequovl.exe	powershell.exe
PID 4968 wrote to memory of 2760	4968	voiceadequovl.exe	cmd.exe
PID 4968 wrote to memory of 2760	4968	voiceadequovl.exe	cmd.exe
PID 4968 wrote to memory of 2760	4968	voiceadequovl.exe	cmd.exe
PID 2760 wrote to memory of 2400	2760	cmd.exe	powershell.exe
PID 2760 wrote to memory of 2400	2760	cmd.exe	powershell.exe
PID 2760 wrote to memory of 2400	2760	cmd.exe	powershell.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 4968 wrote to memory of 2528	4968	voiceadequovl.exe	voiceadequovl.exe
PID 2528 wrote to memory of 4668	2528	voiceadequovl.exe	wmic.exe
PID 2528 wrote to memory of 4668	2528	voiceadequovl.exe	wmic.exe
PID 2528 wrote to memory of 4668	2528	voiceadequovl.exe	wmic.exe
PID 2528 wrote to memory of 1200	2528	voiceadequovl.exe	cmd.exe
PID 2528 wrote to memory of 1200	2528	voiceadequovl.exe	cmd.exe
PID 2528 wrote to memory of 1200	2528	voiceadequovl.exe	cmd.exe
PID 1200 wrote to memory of 1740	1200	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 1740	1200	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 1740	1200	cmd.exe	WMIC.exe
PID 2528 wrote to memory of 2056	2528	voiceadequovl.exe	cmd.exe
PID 2528 wrote to memory of 2056	2528	voiceadequovl.exe	cmd.exe
PID 2528 wrote to memory of 2056	2528	voiceadequovl.exe	cmd.exe
PID 2056 wrote to memory of 2368	2056	cmd.exe	WMIC.exe
PID 2056 wrote to memory of 2368	2056	cmd.exe	WMIC.exe
PID 2056 wrote to memory of 2368	2056	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
42ac96468a93e33d1a156c941428d7f9

SHA1
ad6aeb254733173794343a89d37c61bc19362f8c

SHA256
5da9e6af5da6e31175d1c65cb487cc231a1314cb42502398f62f84fc981e3c34

SHA512
89749ce9fc9d8cc8260e1a344e8d591d7659d5b407737575026f881d016567cbc2f7784e4088abdcc3ed00338c31df2a82fb108d3078a264f600c2233b314d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
362.4MB

MD5
0f934f4beadfaeaa47c749e69bb4d49d

SHA1
65aa04489062a7d4c952eb0712a7a017d2098e06

SHA256
14fb3b33719df70bae104480cd6176fc7c6011b8bb8c97cc8c50ed1a74ad6d4b

SHA512
8446d99b7a610f81448fd617a1075f4a83ee2a28c7d7cf8dafc309bd5f2d5194e4ca9db04ad5bcf2a480dd343eb4343a32fbd81685b17ee1e30f1b5e84cb8c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
349.6MB

MD5
10508a12fd009572c17264b0ef058141

SHA1
3de8e8cb7a2d8ea90bee93f9d3e6b8e12bf2e36e

SHA256
ce654301ea2f09db2033ff0ff59e96315e330eb8648810c71cf04ddd993a96f9

SHA512
e38b83f1da445e8de9db212b31d1c9e7807716ccd58acbcf4be44d98852b9bf854087c6ebb790017b236df0fa89259345e9bf6a53198e67647693840c5e916fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
317.1MB

MD5
a258fc34cb41d6aa5d865009e848e436

SHA1
3fa234433bd356515a592f45a2d7c4ab4a083f78

SHA256
fa17431e82904e6e47cb7b3c7904082909550e3a314c456138f689e2fc8dd77a

SHA512
94b21f5bdc4786df05cb98d6ad19543fe68bda52a6b001b9233282b1c6057bb060182a75ab975131faaf8219b674178170633c31d2dfcba148dec5bba70267fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
312.3MB

MD5
7bc82eda851aaf97e6f14383255eb0d9

SHA1
873cc329ddb243ce17d2a822ceb07ed7a4753bad

SHA256
dbf2e93e377d5a8fc9d3cd2382965042dedb614d44daad219670fd5bc726fe61

SHA512
56bf67e8c633a8ff02f27b13898164a7c0f929fe06aefb592a74dbc80aa8a0a163c7a33bd08a2d6701fac390f1c0100795440838fa30ab5d1e95263585a17afe

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.6MB

MD5
2b05e7dc6240d5c5c412db34f7e6209e

SHA1
88db2dfc0a79fcab929fb30af472b742a791f80f

SHA256
a1396851c9cd61d1e0c11ba019d6891ab973cc76a2e4607dde2058bddb899a7a

SHA512
f7e58c2fb5a7a9070404e63b6eb130c8793e0cab5c17f222698a7bd9cffadb4a6e5f5b05007e03e30ddcd574a39f04843dc4bddfd90cc511e2ca244351709212

Download Submit
memory/1200-165-0x0000000000000000-mapping.dmp

Download
memory/1740-166-0x0000000000000000-mapping.dmp

Download
memory/2056-167-0x0000000000000000-mapping.dmp

Download
memory/2368-168-0x0000000000000000-mapping.dmp

Download
memory/2400-164-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/2400-163-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/2400-159-0x0000000007190000-0x00000000071C2000-memory.dmp

Filesize
200KB

Download
memory/2400-160-0x0000000074EE0000-0x0000000074F2C000-memory.dmp

Filesize
304KB

Download
memory/2400-161-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/2400-149-0x0000000000000000-mapping.dmp

Download
memory/2400-169-0x0000000006030000-0x000000000603E000-memory.dmp

Filesize
56KB

Download
memory/2400-170-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/2400-171-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/2528-151-0x0000000000000000-mapping.dmp

Download
memory/2528-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2528-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2528-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2528-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2720-141-0x0000000004E50000-0x0000000004E86000-memory.dmp

Filesize
216KB

Download
memory/2720-142-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/2720-146-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/2720-140-0x0000000000000000-mapping.dmp

Download
memory/2720-145-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/2720-144-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/2720-143-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/2720-147-0x00000000068E0000-0x00000000068FA000-memory.dmp

Filesize
104KB

Download
memory/2760-148-0x0000000000000000-mapping.dmp

Download
memory/4668-162-0x0000000000000000-mapping.dmp

Download
memory/4968-139-0x00000000073A0000-0x00000000073C2000-memory.dmp

Filesize
136KB

Download
memory/4968-138-0x0000000000CE0000-0x0000000001454000-memory.dmp

Filesize
7.5MB

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download
memory/5092-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads